# Introduction Passport 1.4, or "Tweener", as it's sometimes called, is an HTTP-based authentication system that was introduced with [MSNP8](../versions/msnp8.md). For [MSNP12](../versions/msnp12.md) and above, read the [Passport Request Security Token service](rst.md) article. For [MSNP18](../versions/msnp18.md) and above, read the Request Security Token service, version 2 article. # Nexus The Passport Nexus is a server that provides information to other parties about how to use Passport. It's default domain is `nexus.passport.com`. ## pprdr.asp The Passport Redirection service returns the `PassportURLs` header, which contains the `DALogin` parameter that is used to specify which server to attempt Passport 1.4 authentication with. ### Client/Request ``` GET /rdr/pprdr.asp HTTP/1.1 Host: nexus.passport.com ``` ### Server/Response ``` HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Content-Length: 0 PassportURLs: DARealm=Passport.Net,DALogin=login.passport.com/login2.srf,ConfigVersion=15 ``` Where `PassportURLs` (case-sensitive) contains the following parameters: * `DARealm`: The Domain Authority's realm name. * `DALogin`: The Domain Authority's login endpoint. * `ConfigVersion`: Increases by 1 every time that PassportURLs is updated to flush the URL cache. # Passport Login The Passport Login server is a HTTPS server that provides the login service (default is `login2.srf`) specified in `DALogin` from the [Nexus](#nexus) response. ## login2.srf The `login2.srf` endpoint is used for programmatic authentication. ### Client/Request ``` GET /login2.srf HTTP/1.1 Authorization: Passport1.4 Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in={user-handle},pwd={password},{server-args} User-Agent: MSMSGS Host: login.passport.com Connection: Keep-Alive Cache-Control: no-cache ``` Where `user-handle` is the URL-encoded user handle of the user to authenticate. Where `password` is the URL-encoded password of the user to authenticate. Where `server-args` is the parameter given to the server's response to the initial [USR](../commands/usr.md). ### Server/Response #### Authentication Redirection If the server you are authenticating to does not support your account type, but knows a server that does, this is used, otherwise [Authentication Successful](#authentication-successful) is. If you are redirected, you have to send the `Authorization` header again to the new server specified in `Location`. ``` HTTP/1.1 302 Found Cache-Control: no-cache cachecontrol: no-store Connection: close Authentication-Info: Passport1.4 da-status=redir Location: https://loginnet.passport.com/login2.srf?lc=1033 ``` #### Authentication Successful ``` HTTP/1.1 200 OK Cache-Control: no-cache cachecontrol: no-store Connection: close Content-Type: text/html Authentication-Info: Passport1.4 dastatus=success,from-PP='t=token&p=profile',ru=http://messenger.msn.com Content-Length: 0 ``` #### Authentication Failure The `dastatus` may instead be `failed-noretry`. ``` HTTP/1.1 Unauthorized Cache-Control: no-cache cachecontrol: no-store WWW-Authenticate: Passport1.4 dastatus=failed,srealm=Passport.NET,ts=-1,prompt,cburl=http://www.passportimages.com/XPPassportLogo.gif Content-Length: 154
```